Mark Maxey, Director, Vulnerability and Analysis Team, Rob Dixon, Principal Security Consultant and Jason Clark, Chief Security and Strategy Officer discuss the state of the security industry post-Hearbleed after the recent release of their white paper.
You recently released a white paper advising on the Heartbleed vulnerability. What are the key things companies should know?
Mark Maxey: Heartbleed affects a tremendous number of appliances and non-traditional systems that may expose organizations to attack. This includes devices such as VOIP phones, physical security systems and many other Linux-based appliances. Accuvant recommends the use of multiple tools to assess the infrastructure for the Heartbleed vulnerability. For many non-traditional systems authenticated scans to check patch levels are inadequate or may not be possible in some cases. For high-value systems we recommend engaging a third party to assist if an organization does not have the tools and resources internally. The usage of proof of concept tools in conjunction with commercial vulnerability scanners can provide adequate coverage.
Post-Heartbleed, what do you see as the next challenges that the security community will face, and how is Accuvant positioning themselves to deal with them?
Rob Dixon: Heartbleed has rekindled an interest in research of widely used packages like OpenSSL. The entire security community was shocked that a bug of this magnitude was not identified sooner in a mainstream piece of software. An event like Heartbleed likely will drive organizations to reassess the maturity of their threat intelligence technologies and processes to include vulnerability, threat and security event management, as well as incident response. Organizations need to effectively and efficiently prioritize their response efforts. They will be looking at threat intelligence solutions, revisit full packet capture, malware analysis, incident response activities and plans, among others. Accuvant can help organizations identify the right products to fit their needs and implement those technologies effectively. In addition, we can help organizations assess their exposure to known high-profile vulnerabilities like Heartbleed and the unknown through our assessment offerings.
You'll be at Black Hat USA. What are you excited about at the show, and how can companies connect with you there?
Jason Clark: At Black Hat USA this year, I look forward to the reunion with many of my information security friends and hearing presentations from the best technical minds in the industry. I'm excited about the event moving to a different and larger venue, as it shows how much this annual gathering has grown. As a platinum sponsor of the event, Accuvant will have a significant presence through our booth (#635) and various other activities we are planning for that week.
Jeff Man, Product Marketing Manager and Gavin Millard, Technical Director of Tenable discuss the use of the cloud in modern security, and their recent research that shows the importance of metrics in informed security policy decisions.
You've been adding cloud features to your suite of products (Nessus). How does this aid companies in increasing network security?
Jeff Man: Traditional vulnerability management products are unable to detect, monitor and secure IT assets across cloud and hybrid infrastructure because of the fluid nature of virtual environments. Not only has the attack surface become larger, it has also become a moving target.
Tenable believes there are three essential elements for providing network security. The first element is to know what is on your network by performing asset discovery. The second is the ability to perform continuous vulnerability monitoring of all these assets. The third element is to provide context by including not just exposure to vulnerabilities but compliance violations, threats, and indicators of compromise. We have enhanced our solutions to extend these three elements across hybrid environments. Tenable's products give companies the ability to perform 100% asset discovery across physical, virtual and cloud data centers. They are also able to perform continuous monitoring of all these assets, particularly cloud applications and transient devices that comprise private/hybrid cloud networks. Tenable Nessus is being integrated into the major cloud and virtual environments that companies are using. For example, Nessus is available as an Amazon AMI to bring vulnerability management to the AWS platform, and has also been integrated with VMWare ESX/ESXi and vCenter to monitor and manage the security of virtualized cloud environments, including checks on vulnerabilities and configuration holes present in the virtual platform.
Tenable has solutions to meet these demands regardless of the size or complexity of your network, or the limited resources that are available to procure or administer these solutions.
Your research has recently revealed that "54 percent of companies in the UK are using incorrect metrics when trying to determine their IT security status, providing a false picture of the organisation's vulnerabilities and risk, driving the wrong behavior." how can companies deal with this?
Gavin Millard: In our recent study of 400 companies based in the UK and Germany, it was encouraging to see that almost all organizations we spoke to are now turning to metrics to measure the effectiveness of their security controls and frequently reporting the key findings to the CEO and Board of Directors. Unfortunately some of the metrics collected are either ineffective or flawed, the main culprit from the survey being "amount of malware detected" which, without other supporting measures, gives a confusing picture on the health of the control - if the malware count goes down, does this mean malware is being missed or that the organization is under less attack?
Turning to SANS Critical Security Controls as a best practice, there are far more effective metrics to choose from for most of the twenty controls. On the malware example "Percentage of systems with anti-malware deployed, enabled and up to date" can give a better view of how widely the control is used and where coverage issues need to be addressed.
You'll be at Black Hat USA. What are you excited about at the show, and how can companies connect with you there?
Jeff Man: Tenable is looking forward to participating in Black Hat 2014 and connecting with the information security community about how to stay ahead of emerging vulnerabilities, threats and compliance-related risks. Our Nessus and SecurityCenter solutions continue to set the standard for identifying vulnerabilities, preventing attacks and complying with a multitude of regulatory requirements.
Attendees can meet with Tenable experts like Jack Daniel at our booth and attend our sessions. Tenable will also have a one hour session inside of the Business Hall (please consult the event guide for details).
Tenable will also have a one hour session inside of the exhibit hall (please consult the event guide for details).
Andrew Brandt, Director of Threat Research discusses the company's partnerships with AT&T and Guidance Software, touching on the use of the cloud and the company's plans for Black Hat USA.
You're working with AT&T on cloud security. How does the cloud aid companies in increasing network security?
Andrew Brandt: We're excited to be working with AT&T. Blue Coat and AT&T are extending their strategic partnership to enable businesses to use the best technologies available.
AT&T has built its Cloud Web Security offering on the Blue Coat Cloud Service – which delivers the robust web and mobile device security businesses require as they extend their applications to the cloud and look to deploy new interactive, mobile technologies that drive customer retention and market expansion.
The new offering provides real-time protection against viruses, malware, and compromised web sites --- all without the need for on-site equipment. It also enables customers to enforce consistent global security policies across wired, roaming, and mobile environments. This enhancement to AT&T's portfolio of managed security solutions will help organizations deploy new secure, cost-effective cloud service and web applications.
We believe this is a model for other service providers that are looking to roll out enterprise-class cloud offerings.
Reduced budgets, staff/skill shortages, and growing compliance and regulatory demands are forcing IT organizations to do more with less. Cloud-based security solutions allow customers to get more value from their IT staff to secure enterprise and employee assets.
You've also joined forces with Guidance Software to integrate EnCase Cybersecurity with the Security Analytics Platform. How do they complement each other?
Andrew Brandt: Great question. We're partnering with Guidance Software to deliver a groundbreaking approach for detecting evasive cyber threats. The partnership will integrate EnCase Cybersecurity with the Blue Coat Security Analytics Platform to provide an unprecedented level of visibility into both network traffic and endpoint devices that will enable enterprises to close the gap between breach and detection. This is crucial in today's world where the new normal is enterprises facing new threats on almost a daily basis.
The combined Blue Coat Security Analytics Platform and EnCase Cybersecurity solution will enable enterprises to gain a 360-degree view of all endpoint data and network traffic across their organizations—allowing proactive identification and remediation of threats that have bypassed traditional security technologies. As a result, organizations will be able to rapidly correlate data-in-motion with data-at-rest, and share actionable intelligence across information security stakeholders. The result is a dramatic reduction in the time needed to detect and remediate incidents.
You'll be at Black Hat USA. What are you excited about at the show, and how can companies connect with you there?
Andrew Brandt: Black Hat provides a great opportunity to learn about the latest in security research, development, and trends. It is especially exciting to have the chance to meet and connect with some of the smartest researchers around. The security space is moving so fast—Black Hat is where you really see how rapidly innovation is happening. To connect with Blue Coat at the conference, stop by our booth. People can also reach out to us anytime via Twitter (@bluecoat), LinkedIn or Facebook. People can also contact me via Twitter-- @threatresearch.
Mike Reagan, Chief Marketing Officer talks about LogRhythm's commitment to quality of life for its employees, and the oft-overlooked challenge of insider threats for security companies.
You were just announced as one of Denver's top workplaces. How does LogRhythm ensure its staff's quality of life, and how important is that in the security industry?
Mike Reagan: One of LogRhythm's core values, established by our founders and CEO over eight years ago, is to create a company where employees want to work. To that end, we've been committed to sustaining a work environment that fosters innovation, collaboration and tenacity in a customer-centric culture focused on delivering world-class solutions that solve critical, real-world challenges. We also firmly believe that supporting a healthy work-life balance for all employees is essential. Offering unique employee at-work benefits such as "Loga" (LogRhythm's version of yoga) and Tai Chi classes, cruiser bikes to take on the adjacent Boulder Creek path into downtown Boulder, weekly catered lunches for all employees and a fully equipped on-site workout facility, help employees sustain that work-life balance. Additionally, we recognize that situations arise outside the work place that warrant flexibility. One employee described that aspect of our culture in the following way "When life happens, LogRhythm understands."
Remaining committed to that core value and continuing to deliver on it, creates a tangible competitive advantage for LogRhythm as we further expand our staff of top notch cyber security experts, a skill set that is very high demand and short on supply.
Your research has recently revealed that companies (specifically in the UK in this case) are ill-equipped to deal with insider threats (" more than a third (36 percent) of IT professionals believe employees would access or steal confidential information, yet 38 percent do not have, or know of, any systems in place to stop employees accessing unauthorized data.") How can companies deal with this?
Mike Reagan: There are a number of technologies that have emerged recently, such as Cisco's Identity Services Engine (ISE,) that can help organizations control access to sensitive information and resources. But regardless of the tools being deployed to limit the risk, continuous monitoring of all enterprise activity coupled with advanced machine analytics can shine a spotlight on the anomalous behavior indicative of insider threats that would otherwise be blind spots for most organizations.
LogRhythm's Security Intelligence Platform combines next gen SIEM, file integrity monitoring, host forensics and network forensics with machine analytics to provide the most pervasive visibility and actionable intelligence to combat advanced cyber threats -- including those that originate from insiders.
You'll be at Black Hat USA. What are you excited about at the show, and how can companies connect with you there?
Mike Reagan: Black Hat has always been one of the best venues for our cyber security experts to connect with and learn from their peers from across the industry. Our LogRhythm Labs team will be there in force to both share our latest threat research and to collaborate with customers, partners and peers. On the heels of receiving Cyber Defense Magazine awards for "Most Innovative SIEM" and "Best Product in Forensics," we're excited to showcase some recent product innovations including our new Identity Inference Engine, our new user experience (UX) for web and tablet, as well as a number of new knowledge modules including our Retail Cyber Threat, Privileged User Monitoring and APT Detection & Response modules.
Make plans to visit LogRhythm at BOOTH #641 at Black Hat to find out how we can help your company detect and defend against today's most sophisticated cyber threats. We're looking forward to another really good show this year.
Russ Spitler, VP of Product Strategy discusses AlienVault's "unified approach" to security, in particular highlighting the company's uinique crowd-sourced threat database.
What does it mean for companies to adopt a "unified approach" to security?
Russ Spitler: A unified approach to security means that you have all the essential security tools in one affordable, easy to use offering plus the threat intelligence and sharing required to effectively defend your organization or business against today's advanced threats. AlienVault's products are designed to enable mid-market businesses and organizations to do just that. By building the best open source security tools into one Unified Security Management platform, and then powering the platform with up-to-the minute threat intelligence from AlienVault Labs and our Open Threat Exchange (OTX™) – the world's largest crowd-sourced collaborative threat exchange – AlienVault provides its customers with a unified, simple and affordable solution for threat detection and compliance management.
You developed the Open Threat Exchange. How important is this kind of "crowd-sourced" intelligence sharing, and how do you see it growing in future?
Russ Spitler: Crowd-sourced intelligence sharing is incredibly valuable. It's one of the ways defenders against attacks have been at a distinct disadvantage. Criminal attackers have a community – they have long shared information quite successfully to facilitate their exploits. I'd cite the many hacker forums with detailed "how-to" information, DDoS for hire, and marketplaces for purchasing malware and stolen credit card information as proof. Couple this with the "attacker's advantage" of choosing where, when and how to launch attacks, and it is no surprise that collaborative hackers appear to be winning against respected brand companies, despite their generous spending on security protection tools. Generally speaking, companies being attacked – and that could be any company of any size, anywhere – aren't well coordinated and are not able to leverage information from others who have been attacked in a similar way. They are alone and disconnected.
We noticed this problem a few years ago. To help fix the problem, AlienVault created the crowd-sourced Open Threat Exchange. Since the launch of OTX two years ago, we have seen substantial growth in participation with more than 450,000 contributions daily across 140 countries—and that's just from our customer and open source user base.
The recent exploits against retailers only came together in the press – there was evidently very little threat sharing or collaboration among retailers before the successful exploit, as the retailers fell like dominoes. Now, the National Retail Federation announced its intent to form a threat sharing and analysis center whereby Retail ISAC can share information of varying levels of sensitivity anonymously and to facilitate peer-to-peer collaboration with the sharing of risk mitigation best practices and cybersecurity research papers, to protect consumer data.
Crowd-sourced threat intelligence should be part of a comprehensive approach to security that includes products that prevent, detect and then help you respond quickly when a breach occurs. We see crowd-sourced threat intelligence becoming a key element of everyone's security tool chest to effectively defend your organization or business from today's advanced threats.
You'll be at Black Hat USA. What are you excited about at the show, and how can companies connect with you there?
Russ Spitler: This year, we are leading up to BlackHat with a number of headline breaches, some major issues in the core of the internet and the long-tail of the snowden revelations. While none of these incidents are unprecedented, the tempo and severity is increasing. I hope this leads us to challenge to our core assumptions and we finally start sincerely beginning the conversation of how we work together to share threat intelligence in all forms.
Stop by booth No. 727, myself and other Alien Heads will be on hand to show you USM and OTX. Looking forward to seeing you at the show.